WAS capabilities

Hi, we have started using WAS. Will like to ask the support from the community or the Qualys team to explain to what extent Qualys WAS supports analyzing the following technologies that are used in web applications:

The information available in the manuals, online help and community forum is very scarce. The information about the capabilities should be available to properly estimate if a web app can be fully analyzed by WAS before procuring additional scans.

I will do my best to address your question in a generic Community post format, but this may be best handled with a call/meeting to discuss any specific needs or coverage you are looking for to coincide with our best practices for scanning. This can be initiated with your TAM and may involve a WAS SME (Subject Matter Expert).

JavaScript - Yes

Java - Server side vulns, yes. We do not load plugin for client side Java vulns. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

Ajax - Yes, for the most part utilizing our SmartScan feature. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

HTML 5 - Yes, for the most part. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

ActiveX - ActiveX QIDs/vulns exist in VM (Vulnerability Management). WAS may be able to provide "some" coverage. However, if you have a web app that will ONLY run in IE and you cannot use a spoofed user agent, your results may vary. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

Silver Light - Server side vulns, yes. We do not load plugin for client side SilverLight vulns. We are focusing on newer technologies such as HTML5. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

Flash - Server side vulns, yes. We do not load plugin for client side Flash vulns. We are focusing on newer technologies such as HTML5. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

PhP - Yes

Single page applications - Yes, for the most part utilizing our SmartScan feature. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

Web services - Yes for some, such as SOAP. As for REST based web services this is currently targeted for Q4 2016.

REST - As for REST based web services this is currently targeted for Q4 2016.

GWT - Yes, for the most part utilizing our SmartScan feature. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

Frameworks like AngularJS, Bootstrap, DWR, GWT, ASP.NET, Ext JS, Prototype JS, Spring MVC - Yes, for the most part utilizing our SmartScan feature. More in-depth discussion with your TAM and SME may be best approach if you have additional questions.

The authentication issue for selenium may just be a valid regex validator or another possible configuration setting causing this behavior. We need to pin down the auth issue, then look at CSRF testing and AJAX links QIDs and whether the SmartScan feature is properly running and configured for you. I will ask support to escalate this case and also get in touch with your TAM. A SME may have to assist you directly to remedy these issues. This approach will best help you in the most efficient manner. Further diagnostics via the Community will probably prove difficult.